Application Security (AppSec) Manager | DevSecOps & Offensive Security

Indeed
Full-time
Onsite
No experience limit
No degree limit
Praça do Patriarca, 62 - Centro Histórico de São Paulo, São Paulo - SP, 01002-010, Brazil
Description

**Job Summary:** Lead the strategy, implementation, and governance of Application Security, overseeing offensive security initiatives and compliance with secure engineering standards.

**Key Highlights:**

1. Strategic leadership in Application Security and offensive security.
2. Experience with DevSecOps and offensive security in the financial sector.
3. Focus on innovation, security, and efficiency in the financial sector.

**Nice to meet you — we are Evertec!**

**Evertec** is a company specialized in **technology for the financial sector**, with over 27 years of operation and presence in 26 countries across Latin America and the Caribbean. Processing over 11 billion transactions annually, we are a reference in solutions that drive digital transformation in the market. We offer a comprehensive portfolio of **software solutions**, serving financial institutions, enterprises, and fintechs seeking **innovation, security, and efficiency**. Our commitment is to **technological excellence**, financial inclusion, and sustainable value creation for customers, employees, and partners — fostering a more connected and accessible ecosystem.

**Requirements:**

The **Information Security** team is responsible for ensuring robust technical security controls, supporting business areas, and contributing to the continuous reduction of organizational risks. We seek an **Application Security (AppSec) Manager | DevSecOps & Offensive Security** to join our team at Brazil’s largest software and financial-market product development company — where we believe technological innovation inspires evolution.

The ***Manager*** will be responsible for leading the Application Security strategy, implementation, and governance, as well as supervising Threat Emulation initiatives, offensive security testing, application hardening, and compliance with secure engineering standards. They will work strategically and hands-on with development, architecture, and product teams to ensure applications and APIs are built resiliently, securely, and aligned with industry best practices for the financial sector.

**This role will be responsible for:**

* Developing, implementing, and maintaining the Corporate Secure Development Program (SDL/SSDLC), ensuring security from conception through to production of products.
* Defining and evolving Application Security standards, including secure code review, guidelines, controls, libraries, and frameworks.
* Leading Threat Emulation, Threat Modeling (STRIDE, DREAD, MITRE ATT&CK), and risk-based offensive simulations.
* Implementing security pipelines in CI/CD using tools such as SAST, SCA, DAST, and container analysis.
* Assessing, advising on, and tracking remediation of vulnerabilities identified in applications, APIs, microservices, and integrations.
* Conducting architectural reviews and supporting engineering teams in defining secure standards.
* Working with the Zero Trust model, ensuring applications and APIs follow strong authentication and authorization principles.
* Creating, maintaining, and evolving security mechanisms for APIs, microservices, and distributed applications.
* Building automation and governance workflows in ticketing tools for AppSec requests, audits, and demands.
* Collaborating with engineering teams to identify, mitigate, and prevent risks in code and architecture.
* Performing and supervising internal offensive tests (Threat Emulation), such as targeted pentests, API exploitation, and attack simulations.
* Supporting development and SRE teams in applying patches, fixes, and vulnerability mitigations.
* Ensuring compliance with financial-sector regulatory standards, including Central Bank regulations, NIST, ISO 27001, OWASP, and audit requirements.
* Managing continuous improvement initiatives, elevating AppSec maturity, and acting as an internal technical reference.

**To be a #match, this position requires the following mandatory qualifications:**

* Proven experience in Application Security (AppSec), including leadership of strategic and technical initiatives.
* Practical experience with SDL/SSDLC and integrating security into the software development lifecycle.
* Solid knowledge of offensive security applied to applications, including vulnerability analysis, secure code review, APIs, and Threat Modeling.
* Experience with DevSecOps practices and tools — such as SAST, SCA, DAST, and container analysis — with emphasis on automation.
* Strong understanding of security standards and frameworks (OWASP, NIST, ISO 27001, Zero Trust).
* Ability to perform architectural analysis with a focus on secure technical decisions for applications and APIs.
* Experience managing multidisciplinary teams.
* Bachelor’s degree or higher.
* Advanced English proficiency.

**The following knowledge or experience would be considered a plus:**

* Experience implementing SDL/SSDLC and security in DevOps/DevSecOps environments.
* SAST, SCA, DAST, IAST, container scanning, and application hardening.
* Vulnerability triage and prioritization (CVSS, CWE, OWASP Top 10, API Security Top 10).
* Security requirements for APIs and microservices.
* Secure code reviews and architectural analysis.
* Experience with Threat Modeling, MITRE ATT&CK simulations, and targeted security testing.
* Execution or supervision of internal pentests.
* Exploitation analysis, attack vectors, logical flaws, and API security.
* Advanced experience with Zero Trust applied to applications.
* Experience integrating AppSec into DevOps pipelines (Azure DevOps, GitLab, GitHub).
* Orchestration tools, APIs, and scripting (PowerShell, Python).

Benefits

**So, does this resonate with you so far? Then let me tell you what else you’ll find here — beyond a dynamic environment:**

* Meal or food allowance;
* Flexible benefit (Flash);
* Health insurance;
* Partners for psychological, legal, financial, and nutritional support (CLUDE, C4LIFE, and ASQ);
* Psicologia Viva;
* Dental insurance;
* Daycare allowance;
* Support for children with special needs;
* Fertility assistance;
* Extended maternity and paternity leave;
* Transportation allowance or Home Office allowance (for remote contracts);
* Gympass (Wellhub) and TotalPass;
* Flexible working hours;
* Life insurance;
* Partnership club;
* Sesc partnership;
* Just dress no code (no dress code);
* Birthday day off;
* Beca (education incentive program);
* PPR or Bonus — based on goal achievement and results.

We value **diversity**, recognizing that what truly adds value is precisely diverse ideas and perspectives. Therefore, race, color, religion, gender and gender identity, nationality, disability, sexual orientation, ancestry, or age will not prevent you from joining our team.

Source: Indeed
João Silva
Indeed · HR